FreeSwan - Linux Based Virtual Private Network

1. Synopsis

This document describes both the benefits of using the Freeswan implementation of the IPSEC based Virtual Private Network and some basic installation instructions.

Freeswan is an implementation of the IPSEC set of protocols. Where this document refers to Freeswan, the statement generally applies to IPSEC in general as well.

2. Description

2.1 Diagram - Basic VPN layout

Note: these addresses are fictional and are used as an example only.

2.2 Description of VPN layout

Address           Function
192.168.9.10      Local machine on the 192.168.9.0 network
226.122.11.69     Freeswan gateway machine that sits on the 192.168.9.0 network and the Internet
226.122.111.1     Internet gateway (usually provided by an ISP)
111.222.101.1     2nd Internet gateway (usually provided by the remote user's ISP)
111.222.101.15    Remote Freeswan gateway that sits on both the Internet and the 192.168.0.0 network
192.168.0.5       Remote machine on the 192.168.0.0 network

3. Usage

The primary benefit of using a VPN is to use the Internet as an active (secured) bridge between two private networks. In the example above, the network 192.168.9.0 is bridged to the network 192.168.0.0. Normally, there is no communication between these private networks (Internet routers do not pass 192.168 addresses). Within a VPN, the basic IP communication is encapsulated and allowed to pass as if these networks were connected with a bridge.

The benefit of this "bridge" is the ability to use the following services in the same way as you would if the 192.168.9.10 system was directly connected to the 192.168.0.0 network:

- email
- Intranet web servers
- databases, reached via ODBC or JDBC
- telnet
- nfs
- samba

As an added benefit, the encapsulated communication between these networks can be encrypted, so that neither the packet payload nor the originating IP address can be easily determined from the IP packets that traverse the Internet.

4. Requirements

These are some basic packages that you'll need for the installation.

4.1 Freeswan tarball/rpm package from http://www.freeswan.org (latest is 1.98)
4.2 gmp library from gnu (http://www.swox.com/gmp/)
4.3 Linux Kernel Source (2.4+ or 2.2)

5.3 Configuration Files

Freeswan uses two configuration files. The first (ipsec.conf) sets up the communication parameters between the two Freeswan gateway machines. It is very important that the communication parameters on the two gateways match exactly, since these are used as the first part of a two step authentication process.

The second file (ipsec.secrets) holds the RSA signature key each gateway uses to identify itself to the other. Each gateway will have a different ipsec.secrets file (generated with the next step).

5.5 Update FreeSwan Configuration Files

Once the RSA signature key has been generated, it needs to be added to the ipsec.secrets and ipsec.conf files. The ipsec.secrets file will contain the whole key generated above. The ipsec.conf file (the communication parameters file) will use only the public portion of the signature key.

In the example below, the key generated above has been added below the line that starts with ": RSA" (the PSK [pre-shared key] line at the top is used for VPN connections that do not use RSA signatures).
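As an added example (not the page's own listing), here are the two files for the local gateway of the layout above, written in the FreeS/WAN 1.98 syntax assumed here, with every key value replaced by an obvious placeholder. The real values come from the key generation step; ipsec showhostkey --left prints the public portion in the leftrsasigkey= form used below, and the connection name office-to-remote is this example's own choice.

```conf
# /etc/ipsec.conf on the local gateway (226.122.11.69); the remote gateway
# (111.222.101.15) carries an identical conn section, which is why both
# sides must agree on every parameter. "left" and "right" are labels only;
# each gateway works out which side it is from its own interface addresses.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        # RSA signatures rather than the PSK line in ipsec.secrets
        authby=rsasig
        # keep retrying the key exchange until it succeeds
        keyingtries=0

# the connection name is this example's own choice
conn office-to-remote
        left=226.122.11.69
        leftsubnet=192.168.9.0/24
        leftnexthop=226.122.111.1
        leftrsasigkey=0sPLACEHOLDER_LOCAL_PUBLIC_KEY
        right=111.222.101.15
        rightsubnet=192.168.0.0/24
        rightnexthop=111.222.101.1
        rightrsasigkey=0sPLACEHOLDER_REMOTE_PUBLIC_KEY
        # load at startup; bring it up by hand with: ipsec auto --up office-to-remote
        auto=add

# /etc/ipsec.secrets on the same gateway, readable by root only (mode 0600).
# The PSK line at the top is used only by connections with authby=secret;
# the RSA block is the whole key pair from the key generation step, of
# which only Modulus and PublicExponent are public.
226.122.11.69 111.222.101.15: PSK "PLACEHOLDER_PRE_SHARED_KEY"
: RSA {
        #pubkey=0sPLACEHOLDER_LOCAL_PUBLIC_KEY
        Modulus: 0xPLACEHOLDER
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0xPLACEHOLDER
        Prime1: 0xPLACEHOLDER
        Prime2: 0xPLACEHOLDER
        Exponent1: 0xPLACEHOLDER
        Exponent2: 0xPLACEHOLDER
        Coefficient: 0xPLACEHOLDER
        }
```

The remote gateway's ipsec.secrets holds its own RSA block, and each gateway's public portion appears as leftrsasigkey= or rightrsasigkey= in both ipsec.conf files.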

IPSEC uses UDP port 500 for the negotiation process, and the two IPSEC protocols ESP and AH (IP protocol numbers 50 and 51, rather than TCP ports) for the tunnelled traffic; any firewall between the gateways must pass all three.

5.7 Starting the connection

Before any communication takes place between the VPN gateways, the two gateways have to negotiate the communication parameters. This process, called the "key exchange", is where the two gateways begin exchanging both connection information (contained within ipsec.conf) and identification information. If this process completes successfully, a tunnel is set up between the gateways.